WEBVTT

0:00:04.700000 --> 0:00:07.280000
 Detection Rules versus alerts.

0:00:07.280000 --> 0:00:12.680000
 So in the previous video within this section,
 which is going to be a relatively

0:00:12.680000 --> 0:00:18.380000
 short section on a detection engineering,
 I introduced you to detection

0:00:18.380000 --> 0:00:22.420000
 engineering and we talked
 about detection rules.

0:00:22.420000 --> 0:00:27.740000
 And, you know, we, in addition to that,
 explore the various types of detection

0:00:27.740000 --> 0:00:33.020000
 rules and, you know, examples
 of what they look like.

0:00:33.020000 --> 0:00:38.360000
 However, one, you know, common misconception
 or one of the things that

0:00:38.360000 --> 0:00:42.940000
 I typically see when, you know, introducing
 detection engineering and

0:00:42.940000 --> 0:00:48.460000
 more specifically detection rules and
 alerts is the confusion between

0:00:48.460000 --> 0:00:55.020000
 the two from the point of view of,
 you know, where they begin and end,

0:00:55.020000 --> 0:00:59.820000
 you know, in terms of what they mean
 on the same platform, et cetera.

0:00:59.820000 --> 0:01:05.100000
 And so it's very important to understand
 the difference and, you know,

0:01:05.100000 --> 0:01:09.720000
 most likely that difference was understood
 in the previous video, but

0:01:09.720000 --> 0:01:16.180000
 I think I need to, I need to be very
 specific here or I need to ensure

0:01:16.180000 --> 0:01:18.640000
 that you understand the difference
 between the two.

0:01:18.640000 --> 0:01:26.760000
 So generally speaking, when we were performing
 our searches or, you know,

0:01:26.760000 --> 0:01:33.940000
 creating various searches in the effectively
 using Splunk Lab and Consequent

0:01:33.940000 --> 0:01:42.020000
 Video, or I should say subsequent video,
 we were essentially, in essence,

0:01:42.020000 --> 0:01:48.240000
 creating detection rules for specific
 malicious activity, right?

0:01:48.240000 --> 0:01:51.000000
 And that's what we had covered.

0:01:51.000000 --> 0:01:55.200000
 And of course, when we're talking about
 creating searches, in that case,

0:01:55.200000 --> 0:02:02.660000
 it was with ELK, we were essentially
 using Lucene, you know, to write

0:02:02.660000 --> 0:02:09.960000
 our searches. That is, in essence, what
 we would typically do, you know,

0:02:09.960000 --> 0:02:14.320000
 when we wanted to, you know, formally
 create alerts, we're essentially

0:02:14.320000 --> 0:02:18.600000
 creating a search for a specific, you
 know, type of activity, whatever

0:02:18.600000 --> 0:02:25.100000
 that may be. It could be, you know,
 looking to find logs that have, or

0:02:25.100000 --> 0:02:28.120000
 are related to a specific
 Windows event ID.

0:02:28.120000 --> 0:02:29.940000
 Doesn't really matter.

0:02:29.940000 --> 0:02:36.840000
 The question is, you know, what happens
 or, you know, when you've created

0:02:36.840000 --> 0:02:42.500000
 what you believe is a good detection
 rule, how do you move from that to

0:02:42.500000 --> 0:02:46.720000
 creating an alert logically
 speaking, right?

0:02:46.720000 --> 0:02:49.460000
 So let's, you know, go
 through this together.

0:02:49.460000 --> 0:02:53.080000
 So in platforms like, you know, Splunk
 and Elastic, and I'm only, I'm

0:02:53.080000 --> 0:02:55.840000
 only specifying these two because they're
 the only ones we've used thus

0:02:55.840000 --> 0:03:00.380000
 far, a detection rule defines the logic
 or pattern used to identify suspicious

0:03:00.380000 --> 0:03:01.760000
 or malicious activity.

0:03:01.760000 --> 0:03:05.100000
 So that's all a detection rule is.

0:03:05.100000 --> 0:03:09.700000
 The only reason we add the word rule
 there is because we're using it as

0:03:09.700000 --> 0:03:13.840000
 a rule, right? To do something
 or to detect specific activity.

0:03:13.840000 --> 0:03:20.600000
 And of course, you know, the, based
 on this description, the rule can

0:03:20.600000 --> 0:03:25.340000
 be anything like, you know, matching
 specific event IDs, process names,

0:03:25.340000 --> 0:03:27.060000
 or behavioral indicators.

0:03:27.060000 --> 0:03:30.880000
 And it essentially describes
 what to look for.

0:03:30.880000 --> 0:03:35.580000
 An alert, on the other hand, is the
 response mechanism triggered when

0:03:35.580000 --> 0:03:39.120000
 the conditions of a detection
 rule are met.

0:03:39.120000 --> 0:03:44.140000
 And of course, I may have explained
 this or you may have seen, you may

0:03:44.140000 --> 0:03:48.600000
 have seen this in action or, you know,
 for example, when we're going through

0:03:48.600000 --> 0:03:53.700000
 previous lab demos, when I explained
 that, you know, the search is what

0:03:53.700000 --> 0:03:59.140000
 we use to trigger or to define, you
 know, the trigger for an alert.

0:03:59.140000 --> 0:04:04.420000
 So an alert just to go over it again
 is the response mechanism triggered

0:04:04.420000 --> 0:04:07.780000
 when the conditions of a
 detection rule are met.

0:04:07.780000 --> 0:04:10.420000
 And it, in essence, specifies what to do.

0:04:10.420000 --> 0:04:15.060000
 And an example of that would be sending
 an email, creating a ticket or

0:04:15.060000 --> 0:04:21.800000
 logging an incident. It's typically an alert
 will, you know, the action of

0:04:21.800000 --> 0:04:28.160000
 an alert is to inform a particular
 person or to bring to attention a,

0:04:28.160000 --> 0:04:34.120000
 you know, bring a particular incident
 or event to the attention of the

0:04:34.120000 --> 0:04:36.280000
 person who is best placed
 to deal with it.

0:04:36.280000 --> 0:04:42.560000
 So while the detection rule is the analytical
 component, the alert operationalizes

0:04:42.560000 --> 0:04:47.800000
 it by enabling timely notification
 and response, making both elements

0:04:47.800000 --> 0:04:51.640000
 crucial for effective threat monitoring
 and incident response.

0:04:51.640000 --> 0:04:55.700000
 So this particular table sort of describes
 the difference between the

0:04:55.700000 --> 0:05:01.120000
 two and also shows you where one begins
 and when the other where one begins

0:05:01.120000 --> 0:05:03.380000
 and ends and where the
 other comes into play.

0:05:03.380000 --> 0:05:11.320000
 So on the leftmost column or the
 first column, you have the sort of

0:05:11.320000 --> 0:05:14.840000
 criteria for distinguishing that we'll
 be using to distinguish between

0:05:14.840000 --> 0:05:18.880000
 the two. So definition, function, components,
 example, and where they're

0:05:18.880000 --> 0:05:23.380000
 used. And so in the case of the definition,
 starting off with the detection

0:05:23.380000 --> 0:05:28.000000
 rule, this is, as I've said, three times
 now, one in the previous video,

0:05:28.000000 --> 0:05:31.780000
 a detection, a detection rule is a
 logic-based rule that defines what

0:05:31.780000 --> 0:05:33.400000
 suspicious activity looks like.

0:05:33.400000 --> 0:05:38.880000
 So in essence, an ELK search that we constructed
 to find, let's say, activity

0:05:38.880000 --> 0:05:42.380000
 or logs pertinent to a particular
 Windows event ID, right?

0:05:42.380000 --> 0:05:44.280000
 And what is an alert in this context?

0:05:44.280000 --> 0:05:47.140000
 It's the action triggered when
 a detection rule is met.

0:05:47.140000 --> 0:05:55.500000
 So what happens when the SIEM detects,
 or when there is a detection of,

0:05:55.500000 --> 0:06:01.000000
 you know, a particular log that is pertinent
 to a specific Windows event

0:06:01.000000 --> 0:06:05.520000
 ID. So the function of a detection rule
 is, you know, it describes what

0:06:05.520000 --> 0:06:09.760000
 to detect. The function of an alert is
 to, is that it, you know, describes

0:06:09.760000 --> 0:06:12.240000
 what to do when it is detected.

0:06:12.240000 --> 0:06:16.980000
 So the components of a detection rule
 would be, you know, a query or pattern

0:06:16.980000 --> 0:06:18.320000
 plus a condition.

0:06:18.320000 --> 0:06:22.600000
 So for example, event code is equal
 to, you know, a particular event ID

0:06:22.600000 --> 0:06:26.200000
 in this case, or the case of
 this example, 4732.

0:06:26.200000 --> 0:06:30.080000
 In the, you know, in the case of the alert,
 the components are the notification

0:06:30.080000 --> 0:06:34.260000
 method plus the threshold
 plus the response actions.

0:06:34.260000 --> 0:06:37.840000
 An example of a detection rule would
 be detect accounts added to the admin

0:06:37.840000 --> 0:06:43.900000
 group. An example of an alert would
 be send an email if the above or the

0:06:43.900000 --> 0:06:49.740000
 detection rule we just outlined earlier
 is triggered, right, or triggers.

0:06:49.740000 --> 0:06:54.940000
 And in terms of, you know, where they're
 used, detection rules are used,

0:06:54.940000 --> 0:06:59.300000
 you know, detection logic, threat
 hunting, SOC triage, etc.

0:06:59.300000 --> 0:07:03.560000
 In terms of alerts, they're used for incident
 notification, automation, escalation,

0:07:03.560000 --> 0:07:06.120000
 etc. So just wanted to clarify that.

0:07:06.120000 --> 0:07:09.040000
 And I think I can sort of summarize
 everything that I've covered in this

0:07:09.040000 --> 0:07:11.980000
 video thus far with the following
 two statements.

0:07:11.980000 --> 0:07:14.840000
 And that is a detection rule
 is what to look for.

0:07:14.840000 --> 0:07:20.060000
 An alert is what to do when it's found
 or what you're looking for has

0:07:20.060000 --> 0:07:25.740000
 been found. And of course, this is
 sort of the core functionality that

0:07:25.740000 --> 0:07:28.200000
 a SIEM should provide you with.

0:07:28.200000 --> 0:07:34.000000
 And when it comes down to, you know,
 a question that you may have or some

0:07:34.000000 --> 0:07:41.540000
 of you may have with regards to whose job
 it is to create an alert, specifically

0:07:41.540000 --> 0:07:47.440000
 an alert. That's not really something
 that is important to us.

0:07:47.440000 --> 0:07:51.720000
 The only thing that is important is
 to create, whether you're a threat

0:07:51.720000 --> 0:07:57.400000
 hunter, an incident responder is to accurately
 identify the type of activity

0:07:57.400000 --> 0:08:01.680000
 that, again, you deem or is deemed malicious
 or interesting or warranting

0:08:01.680000 --> 0:08:08.460000
 or that warrants an alert to be, you
 know, created or that warrants for

0:08:08.460000 --> 0:08:09.860000
 an alert to be triggered.

0:08:09.860000 --> 0:08:15.000000
 So that's all that I wanted to state
 in this video and in this section.

0:08:15.000000 --> 0:08:19.200000
 And now that we've gone through, you
 know, detection engineering in so

0:08:19.200000 --> 0:08:23.960000
 far as it's relevant to you as an incident
 responder or aspiring incident

0:08:23.960000 --> 0:08:29.600000
 responder, we can turn our attention
 to some other important aspects of

0:08:29.600000 --> 0:08:34.220000
 detection before finally turning our
 attention to analysis, which is where

0:08:34.220000 --> 0:08:35.720000
 the good stuff happens.

0:08:35.720000 --> 0:08:38.040000
 In any case, that's going
 to be it for this video.

0:08:38.040000 --> 0:08:40.300000
 And I will be seeing you
 in the next video.
